Lance Hayden is a Managing Director with the Berkeley Research Group, and a professor teaching at the University of Texas School of Information (iSchool). He has worked in information security for 25 years, beginning his career as an operations officer with the Central Intelligence Agency, and later working for FedEx, KPMG, and Cisco Systems. His latest book is People-Centric Security: Transforming Your Enterprise Security Culture.
UnboundID: The University’s iSchool just announced a new degree program, the Master of Science in Identity Management and Security (MSIMS). What is the impetus behind the program?
Hayden: To set the stage, we have to start with the iSchool and the field of information science, which is the iSchool’s domain. Information science is something of a unique concept. It covers a variety of information-related fields, including how people use information in all its forms, from books to the Internet. And it’s the interface between people and information that makes the curriculum in the school different from other fields, like traditional computer science. This new Master’s program is in response to two large societal challenges that are going on right now. First, we’re dealing with unrelenting security breaches and threats in the business community, and it’s directly related to the exposure of the identifiable information of millions of people. That data can be used for theft and fraud, all the way to espionage and warfare. We have hit an inflection point where we are not protecting the goods, the data, as well as we should.
Second, there’s the issue of privacy. How much of your identity do you get to own and control in a digital, consumerized, app-driven, socially networked society? That data is extremely valuable; it is, quite literally, currency. We often don’t have insight into, much less control over, how our data is being used. And there can be quite a difference between how Americans view privacy and how people in other countries look at it, including the laws that protect it. Europe, for example, just blew up the Safe Harbor provision of the EU Privacy Directive. The ostensible reason was that they no longer trust, due to the Snowden leaks and the allegations against the National Security Agency (NSA), that the United States is adhering to the principles and values of Safe Harbor, to the point that it can’t work.
UnboundID: What will people earning this degree bring back to the business world?
Hayden: The goals of this program are to establish common definitions and understandings of what we’re talking about when it comes to identity. That term today means different things if you’re a bank, a networking company or a retailer. Otherwise, you’re going to have people talking at cross purposes when we are trying to solve these issues.
The program is not designed to lead toward a particular profession, such as a technologist. People who leave the program could be attorneys, managers, marketers and virtually anyone who must deal with the interface between people, technology and information. The program has corporate, legal and security aspects to it, because we believe there is not one professional field which contains all the skills needed to own the identity management challenge.
UnboundID: Consumers seem to be in an increasingly bad position right now when it comes to being part of the online world. Is this going to change anytime soon?
Hayden: It’s funny, because I think that many consumers don’t necessarily feel like things are so bad. They think life is pretty awesome with all of these great apps and websites they can use. Many consumers don’t really think about their online communities as being dangerous. They are thinking about what they can share about themselves with their friends, families, and the world, and they may not understand that they are giving up private information as well. Or they may feel it’s worth the tradeoff or the risk. It’s not really that big of a deal anymore if my credit card numbers are stolen because I can get a new card quickly, and the bank will not hold me responsible for fraudulent charges.
There may also be a bit of an acquired helplessness going on. Even when people believe that this reality is not great, they may not feel like they can do anything about it. Other people, however, do make the choice to protect their data by locking down their profiles and securing applications. For still others, privacy may be about personal brand management. One of the interesting definitions of modern privacy I’ve heard came from a student in my class who had been partying on 6th Street, which is like the Bourbon Street of Austin. He told me that privacy for him was making sure good pictures of him ended up on his social network while bad ones were suppressed. Another student told me he really didn’t care about losing whatever was on his PC even if it was embarrassing, because he wasn’t a celebrity and so no one would care. Security and privacy, it seems, are both individualistic and culturally specific to those thinking about them.
UnboundID: So is there a solution to protecting consumers and preventing the bad guys from stealing data, making money from it, and sabotaging companies and institutions?
Hayden: It’s an educational issue with consumers. Identity protection and computer hacking are really just new flavors of older societal problems, particularly fraud and theft. They are scaring us right now as we struggle to figure out how to protect ourselves, our privacy, and our data. But people have to balance these worries with what to do about them. We’ve never solved problems like crime, war, or disease. We probably never will. Dollar for dollar, obesity is probably as big a global problem as cybersecurity, and that’s just a single health care issue. How do you decide where to put your limited resources? Obesity is an interesting example, too, because like security and identity, behavioral change could solve part of the problem. People need to live healthy digital lives just like they need to live healthy physical ones.
I do a lot of research and work in security culture. When security cultures compete, like when a bureaucratic security program tries to enforce strict formal policies on an entrepreneurial business trying to move fast in uncertain environments, conflicts and risks can result and become incidents. And it isn’t just security. Eric Schlosser’s book Command and Control shows how similar culture conflicts contributed to a number of accidents with nuclear weapons during the Cold War. Generals wanted weapons that would always fire on command, while safety engineers wanted weapons that would never fire on accident. These two forces are opposed and that created risk within America’s nuclear weapons program.
In privacy and security, there are some people who are going to support sharing and openness, at the risk of compromising data. Then the other side will be in favor of locking everything down, at the risk of compromising the benefits of sharing and productivity. There’s no right answer. But how much security or privacy is enough is an interesting question to ask and the UT MSIMS intends to explore it in detail.